The 7 Sins in Governing Cloud Third-Party Risk Under NIS2 and DORA

Cloud now sits beneath critical services across the European Union. That much is settled. Less settled is whether governance has caught up.

For years, many organisations treated cloud as a technical migration wrapped in a procurement review. That approach is no longer enough. Under NIS2 and DORA, cloud dependency must be governed as a resilience issue with direct implications for accountability, oversight, and risk ownership.

The question for boards, CISOs, internal audit leaders, and risk functions is no longer whether the cloud is broadly secure. It is whether the organisation has a control model robust enough to manage the dependencies that the cloud creates.